- http://www.theregist...r_exploitation/ 15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team found three million unique URLs on more than 180,000 websites that automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks have grown steadily over recent months and continue to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..." * http://googleonlines...oint-to-us.html

- http://www.secprodon...articles/58887/ February 28, 2008 - "...Hacking continues to evolve in sophistication and the Web browser now presents an opening for sensitive information to be stolen by increasingly simple methods. This includes basic coding that allows malicious Web sites to automatically steal sensitive information from visitors. Commonly associated with "seedy" Web sites ("warez," gambling and pornography), the threat of browser-based attacks has expanded to more "acceptable" sites that might include social networking, religious organization and university sites. Further complicating the issue is the high demand for browser functionality that often outweighs the demand for security. Many well-known and useful technologies that are integrated with current browser environments, including Flash, ActiveX, QuickTime, Java and JavaScript, each pose a potential attack vector into the enterprise. Other vulnerabilities include how browsers themselves handle particular pieces of code, such as iFrames, whose weaknesses have been known to cause massive incidents in enterprises when exploited... To help thwart browser-based security threats, IT security professionals increasingly are focusing resources and attention on better protecting the Web browser through hardy URL filtering solutions. These Web content filtering solutions block sites that are not related to business activities, greatly reducing the risk of browser-related infections. However, simple filtering methods will not completely eliminate the malware danger. More sophisticated solutions, such as anti-malware, automated code filtering and botnet detection, are currently being added to Web filtering technologies in an effort to thwart complex browser-related attacks."

.The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

Google - scope of drive-by malware is 'significant' - http://preview.tinyurl.com/2ks9cw 03/03/2008 (Network World) - "How ironic that Google allows you to initiate a Web search by clicking on a button labeled "I'm Feeling Lucky." The button is supposed to take you to the first Web site that turns up in your search. Instead, it just might take you to malware hell. In a preliminary report issued by Google in early February (see All Your iFrames Point to Us in the Google blog), researchers reveal the depth of the worldwide malware problem and conclude “the scope of the problem is significant”... Not long ago, wide-scale attacks that took aim at overwhelming computing resources were the preferred game plan. Such attacks use a “push” model. As network tools got better at defending against denial-of-service attacks, the bad guys adopted a “pull” model that has users inadvertently downloading unwanted payloads... For example, clicking on a link to an e-card that turns out to be bogus. The second, more ominous method is to automatically deliver the payload when the user lands on a compromised Web page. Worst of all is that landing on a malicious site is often completely out of the hands of the Web surfer, as he may actually be taken there without his knowledge... Seemingly benign Web sites – perhaps the kind that you visit every day for work or pleasure – have the ability to deliver dangerous malware payloads. Suddenly, I don’t feel so lucky anymore..."


- http://www.f-secure....s/00001396.html March 5, 2008 - "ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, their site's search engine was abused by an attacker with queries of popular keywords. Leveraging the fact that the site is legitimate and has high page ranks, the popular search engines are returning some of these 'iFRAME'ed results in the first few pages of the search results. And the objective? To get the unsuspecting user to click on the link... The last time we checked, 20,600 cached pages loading the iFRAME were found. Upon clicking on the malicious link, you get redirected to some Russian Business Network IPs, and RBN* is notoriously known for hosting not only malware but also rogue antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might be a victim of a Zlob trojan. We detect it as Trojan-Downloader:W32/Zlob.HOG." (Screenshot available at the URL above.)

- http://www.theregist...e_piggybacking/ 6 March 2008 - "Updated: Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties. As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware... Almost 52,000 Google results contained such redirects for ZDNet Asia... There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com..."

- http://www.symantec....learnabout.html "On March 4, 2008 reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script injection issue which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site which attempts to install a rogue ActiveX control. On March 6, 2008 the researcher that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com and MySimon.com are also affected by a similar issue. More CNET Sites Under IFRAME Attack - http://ddanchev.blog...01_archive.html - Fraudsters piggyback on search engines - http://www.securityfocus.com/brief/695"

Edited by apluswebmaster, 06 March 2008 - 05:17 PM.


- http://www.securityp...mp;Categoryid=1 March 7, 2008 - "Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Now it’s all about making money. The main targets of today’s hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims. The big growth area in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75% of security breaches are due to flaws in software. Primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications. As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems... To assist developers in ensuring that they write secure applications, various companies produce automatic software solutions that can help. These include code analysers that automatically scan source code for possible security issues. Others sit between web browser and server on your development network, analysing data flows and highlighting any potential problems, such as an opportunity for a hacker to redirect a web form to their own site. The internet is here to stay, as is internet crime..."

Edited by apluswebmaster, 07 March 2008 - 10:44 AM.


- http://www.f-secure....s/00001398.html March 7, 2008 - "A year or two ago, the malware authors' preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov. Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic. So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there's just no attachment in the e-mail anymore, as it has been replaced by a web link. Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page. Many have missed this shift of attacks from e-mail to the web. There are a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now. However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links. Case in point, a fake Hallmark greeting card spam we saw today... the link takes you to an owned computer which has an FTP site set up on it. And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant. Better make sure your gateway scanner is configured to scan FTP traffic as well..."

(Screenshots available at the URL above.)


- http://www.securewor...php/2008/03/07/ March 7, 2008 - "...The modern web browser is an incredible, complicated piece of software with a large attack surface. Throw on some third party software like ActiveX controls (most of which are chock full of buffer overflows) and you have a hacker’s playground. To make matters worse, all modern day browsers contain JavaScript interpreters which give attackers the ability to obfuscate their attacks in an infinite number of ways. Luckily there is a method for users to fight back against the majority of these JavaScript-based attacks: NoScript (Firefox) and Trusted Sites (Internet Explorer). These methods take the same approach to security: enumerating the good. Instead of playing whack-a-mole with all the new types of attacks that appear, you allow JavaScript only from a list of sites you trust. To do this with Internet Explorer you must first disable active scripting for web sites in the “Internet” zone and then add trusted, commonly accessed pages to the “Trusted Sites” zone. This change can be done through Active Directory and pushed out to all computers in your organization. To achieve the same effect in Firefox you must install the NoScript extension. By default this plug-in will block all JavaScript, Java and Flash (no more Flash ads) content. You can then enable this content on a per page basis or import a list of trusted sites. By using either one of these methods you will be able to block the vast majority of browser-based attacks."

Controlling ActiveX Controls - http://www.securityfocus.com/blogs/671 2008-03-13 - "...here are some quick thoughts on why browser accessible ActiveX controls are so frustrating:
1. ActiveX controls aren’t (usually) tied to the websites that installed them. Meaning, any website can instantiate one and communicate with it. And by communicate with it, I mean perform memory corruption attacks that lead to remote code execution.
2. They are often written poorly. Even more poorly than most 3rd party software. Overflows, arbitrary file access, you name it. You could probably find an ActiveX control that is actually vulnerable to every bug class.
3. They persist (and can be difficult to remove)... After they get installed, you forget about it. Forever. Long after you have even logged into the website that convinced you to install it. Just waiting for someone to take advantage of issues 1 and 2 to make you part of their botnet.
4. They can be difficult to update. Unlike a lot of software, ActiveX controls rarely have auto-update functionality. As a result, most people that are vulnerable, stay that way.
5. They are rarely necessary. The worst part is, ActiveX controls are often add-ons that no one really needed and wouldn’t miss if they disappeared. A lot of times that I have seen them used, they were mostly there to make a UI feel more Win32 and less webby. The risk to benefit ratio has rarely been worth it..."


- http://www.symantec....learnabout.html (03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients... Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
- Run browser software with the least privileges possible.
- Disable JavaScript, IFRAMEs, and ActiveX controls.
- Enable OS security mechanisms such as Data Execution Prevention (DEP).
- Ensure that browsing software is up to date.
- Filter all web activity through security products such as an intrusion prevention system."


Drive-by-downloads now the primary threat from hacks - http://www.f-secure....s/00001408.html March 31, 2008 - "...Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic. The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP. Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware. There are several methods criminals use to gather traffic to these websites.
- A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link...
- Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites...
- The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of javascript on the front page which uses an exploit to infect your machine when you go there... This has happened to the web sites of some popular magazines which can have a million users every single day...
- Another vector for drive-by downloads is infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links..."

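The two F-Secure excerpts above (March 7 and March 31) make the same operational point: the e-mail gateway stops seeing attachments, but the links in those mails now lead to HTTP and FTP downloads, so web and FTP traffic and the links themselves need scanning. As an added example, not code from F-Secure or from any article quoted in this thread, the Python below parses a constructed greeting-card style message and flags the link properties a mail gateway would reasonably alert on: an ftp:// scheme, a bare IP address as host, and a path ending in an executable extension. The message text, the addresses and the host 192.0.2.10 (RFC 5737 documentation range) are constructed sample values.

```python
"""Flag suspicious download links in an e-mail (added example, constructed input)."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Match http, https and ftp links in text or HTML bodies; stop at quotes/brackets.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
# Extensions a gateway would not expect a greeting card to link to.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample message, not a real spam run.
SAMPLE_MAIL = """\
From: "Greeting Cards" <cards@example.invalid>
To: user@example.invalid
Subject: You have received a greeting card
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Someone sent you a card. View it at http://cards.example.invalid/view?id=123
Or download it: ftp://192.0.2.10/card.exe
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="ftp://192.0.2.10/card.exe">Open your card</a></body></html>
--b1--
"""


def extract_urls(raw_message):
    """Return every link found in the text/plain and text/html parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def classify_url(url):
    """Return the list of reasons a gateway should look at this link (empty = none)."""
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme.lower() == "ftp":
        reasons.append("ftp-scheme")          # FTP download links, as in the excerpt
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)             # owned home PCs are usually bare IPs
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if parsed.path.lower().endswith(EXEC_SUFFIXES):
        reasons.append("executable-download")
    return reasons


def flag_message(raw_message):
    """Map each flagged link in the message to its reasons; clean links are omitted."""
    flagged = {}
    for url in extract_urls(raw_message):
        reasons = classify_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in flag_message(SAMPLE_MAIL).items():
        print(url, "->", ", ".join(reasons))
```

The classifier reports reasons rather than a yes/no verdict so that a gateway policy can decide which combinations to block outright (ftp plus executable) and which merely to log; the legitimate-looking HTTP link in the same message produces no reasons and is not reported.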

- http://www.f-secure....s/00001411.html April 1, 2008 - "We've seen tons of banking trojans lately, but now we've run into something quite unique. This new banking trojan was found today on a drive-by-download site. We've added detection for it as Win32.Pril.A. It not only infects the MBR of the machine, but also reflashes the boot code in the Flash BIOS, making disinfection problematic. Once an infected machine is online, the trojan monitors the user's actions, waiting for him to go to one of several hundred online banks, located all over the world. Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim. Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you - it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts. The drive-by-download site is still up..."

(Screenshot available at the URL above.)


- http://www.f-secure....s/00001412.html April 2, 2008 - "Injected iframes into legitimate sites are becoming more and more common these days. One of the latest targets is a Chinese government site... Please note that while the site administrators have been notified, the injected iframe is still present in the site at the time of this posting. The iframe downloads a page from another Chinese site that redirects the browser to a .com site - that contains tons of new iframes. The end result of this iframe jungle is that exploits try to download executables to the user's computer... Drive-by-downloads are getting more sophisticated nowadays, with this case using several exploits including MDAC and Real Player exploits. As always, remember safe computing practices even when on familiar grounds, lest you find yourself iframed... Turns out that sony.com.cn seems to have similar iframes added to some of its pages as well. We have been in touch with Sony and CERTs on this..."


-Mebroot- Spreading through High-Traffic, Compromised Web Sites - http://preview.tinyurl.com/yrxcym April 2, 2008 (Symantec Security Response Weblog) - "Symantec is tracking more and more high-traffic Web sites that become compromised and then used to spread malicious code. After the breach our MSS team spotted out on Tata*, we have been notified of another Web site with a similar issue. Today the Italian Web site www .emule-italia .it had been compromised and was hosting an obfuscated script... The script, when deobfuscated, was showing an -iframe- pointing to http ://[REMOVED]xes.com/ld/grb, which was redirecting users to a server (http ://[REMOVED]fir.com/cgi-bin/mail.cgi?p=grobin) hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot. Symantec notified the ISP involved about this issue and the ISP has since worked to remove the malicious content from the affected Web site. High-traffic Web sites are becoming more and more targeted, because the huge number of visits they receive turns into a huge number of machines getting compromised in a short period of time. Therefore, application security is even more important for these sites: - periodic penetration testing, - code review, and - sound application security practices... in the overall development lifecycle can protect site owners [and visitors, too!] from these kinds of threats." * http://preview.tinyurl.com/yqhseh (Symantec Security Response Weblog - February 28, 2008)


nmidahena - http://isc.sans.org/...ml?storyid=4240 Last Updated: 2008-04-04 16:06:43 UTC - "In case you haven't done so yet, consider blocking nmidahena-dot-com on your proxy. And don't go there to find out if it is bad. It is. Several high profile sites have apparently been hit with what is a continuation of the "iframe injection" that we've covered repeatedly*." * http://isc.sans.org/...ml?storyid=4210 Update on IFRAME SEO Poisoning


- http://www.symantec....rid=20080407_01 April 8, 2008 – "...Today, hackers are compromising legitimate Web sites and using them as a distribution medium to attack home and enterprise computers. Symantec noticed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. Attackers are leveraging site-specific vulnerabilities that can then be used as a means for launching other attacks. During the last six months of 2007, there were 11,253 site specific cross-site scripting vulnerabilities reported on the Internet; these represent vulnerabilities in individual Web sites. However, only 473 (about 4 percent) of them had been patched by the administrator of the affected Web site during the same period, representing an enormous window of opportunity for hackers looking to launch attacks... “Avoiding the dark alleys of the Internet was sufficient advice in years past”... “Today's criminal is focused on compromising legitimate Web sites to launch attacks on end-users, which underscores the importance of maintaining a strong security posture no matter where you go and what you do on the Internet”..."


- http://preview.tinyurl.com/45hmwg April 10, 2008 (Symantec Security Response Weblog) - "...Since the Web browser is the primary gateway to the Internet for most users, Web pages that they visit frequently... are a useful means of compromising computers for attackers... Because of the success of kits like MPack and Ice-Pack, it seems that malicious code authors have begun to incorporate similar features in the threats they create... two of the top ten -new- malicious code families modified Web pages. There are two ways in which these samples modify Web pages. The first is that the malicious code adds its own code to a Web page so that other people who view the page may become infected. The second way is that an iframe tag is added to the Web page that redirects users to another Web site. Usually this Web site tries to exploit Web browser and plug-in vulnerabilities in a shotgun-style attack*. This type of attack is similar to the one employed by MPack... As more threats use the Web—in particular, browsers and their plug-ins—to install themselves on computers, users need to be careful even when visiting sites they know and trust. Make sure your Web browser is kept up to date with the latest security patches. Just as important is to make sure that any browser plug-ins you have installed are also fully patched. And, as always, make sure you have antivirus software running with the most recent definitions, as well as a good intrusion prevention system. *A shotgun attack is one where a malicious Web page attempts to exploit multiple vulnerabilities at once in order to increase the chances of a user being compromised."


- http://www.symantec....eatconlearn.jsp "The ThreatCon is currently at Level 2: Elevated. The ThreatCon is currently at level 2. On April 8, 2008, Adobe released a security bulletin for Flash Player that includes a vulnerability that remote attackers can leverage to execute arbitrary code. Attackers could create a malicious Flash object embedded in a web page or email to gain access to a vulnerable system. Adobe has reported that Flash Player 9.0.115.0 (and earlier) and 8.0.39.0 (and earlier) are affected. Patches are available. The vulnerabilities have not been seen in the wild. Adobe considers this a 'critical' update and recommends that customers upgrade to Flash Player 9.0.124.0 to fix the issue. Adobe's security bulletin: ( http://www.adobe.com.../apsb08-11.html ) Bugtraq entry: ( http://www.securityf...8694/references )"


- http://preview.tinyurl.com/67urrf April 23, 2008 (Infoworld) - "...Web sites are rife with security problems: In 2006, the Web Application Security Consortium surveyed 31,373 sites and found that 85.57 percent were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection and 15.70 percent had faults that could let an attacker steal information from databases... Vendors have typically only tested their software patches on machines in default configurations, which isn't representative of the real IT world, Paller said. Many businesses use custom applications with custom configurations, which require rigorous testing to ensure a patch won't break their applications. The U.S. Air Force was one of the first organizations that tried a new approach when contracting IT systems with Microsoft and other application vendors about two years ago to enable speedier patching, Paller said. The Air Force's CIO at the time, John M. Gilligan, consolidated 38 different IT contracts into one and ordered all new systems to be delivered in the same, secure configuration. Then, he ordered that application vendors certify that their applications would work on the secure configurations, Paller said. Then Gilligan took his case to Microsoft. At the time, it took the Air Force about 57 days between the time a patch was released until their 450,000 systems were up-to-date. Gilligan wanted Microsoft to test its patches on machines with the same configuration as the Air Force's, shifting the cumbersome testing process back to the vendor. The negotiations, which didn't start off well, culminated with a meeting with CEO Steve Ballmer. "The story is that he [Gilligan] used a four-letter word in the meeting," Paller said. "You know what the four-letter word was? Unix." Gilligan won. Now, the Air Force can patch in about 72 hours, and they're looking to cut that to 24 hours, Paller said. The idea was so successful that as of Feb. 1, the U.S. government implemented the same conditions for all of its agencies..."


Cross-site scripting also used in Mass Compromises - http://blog.trendmic...ss-compromises/ May 31, 2008 - "We were about to investigate further on malicious activities related to banner82(dot)com/b.js but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveals that the sites involved some cross-site scripting (XSS*) or SQL injection vulnerabilities, or a combination of both... XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing an attack perpetrator to have complete control over the victim’s session and to (in effect) take over the account & hijack the HTTP session. XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility. An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are an unaccounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBscript, Flash, and more... Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities is just one of the methods criminals can employ to silently worm their way into users’ PCs..." * http://en.wikipedia....ploit_scenarios

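Several posts in this thread describe the same artifact on a compromised page: the F-Secure note of April 2 and the Symantec Mebroot write-up (an injected iframe, or an obfuscated script that writes one), the Symantec excerpt of April 10 (the two ways malicious code modifies pages) and the Trend Micro post above (encoded scripts meant to be inconspicuous to administrators). As an added example, not code from any of those vendors, the Python below checks a page's own HTML for those two signs, so a site owner can run it over their pages and catch an injection before visitors do: iframes that point off-site and are sized to zero or hidden, and inline scripts that decode a dense run of escaped characters through a decoder call. The two sample pages and the host bad.example.invalid are constructed; the thresholds are heuristics chosen here, not vendor values.

```python
"""Detect injected hidden iframes and obfuscated inline scripts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Decoder/writer calls that obfuscated injections typically rely on.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")
# Minimum number of %XX / \xNN escapes before a script counts as obfuscated (heuristic).
MIN_ESCAPES = 20


class _Collector(HTMLParser):
    """Collect iframe attributes and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []       # one attribute dict per <iframe>
        self.scripts = []       # body text of each inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_hidden(attrs):
    """Injected iframes are usually zero-sized or hidden with CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def _looks_obfuscated(script):
    """A decoder call plus a dense run of escaped bytes is the usual injection shape."""
    body = script.strip()
    if not body:
        return False
    has_marker = any(m in body for m in OBFUSCATION_MARKERS)
    escapes = len(re.findall(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2})", body))
    return has_marker and escapes >= MIN_ESCAPES


def find_injections(html, site_host):
    """Return (kind, detail) findings; site_host is the page's own hostname."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host   # relative src = same site
        if host != site_host and _is_hidden(attrs):
            findings.append(("hidden-offsite-iframe", src))
    for script in parser.scripts:
        if _looks_obfuscated(script):
            findings.append(("obfuscated-script", script[:40]))
    return findings


# Constructed sample pages. The "injected" one mimics the shape described in the
# posts: an escaped iframe written by document.write(unescape(...)) plus a bare
# zero-sized iframe to a host that is not the site's own.
CLEAN_PAGE = (
    '<html><body><h1>News</h1>'
    '<iframe src="/widgets/weather" width="300" height="200"></iframe>'
    '<script>var counter = 1;</script></body></html>'
)
_ENCODED = "".join(f"%{b:02X}" for b in b"<iframe src=http://bad.example.invalid/ad/show width=0 height=0>")
INJECTED_PAGE = (
    '<html><body><p>Welcome back.</p>'
    f'<script>document.write(unescape("{_ENCODED}"))</script>'
    '<iframe src="http://bad.example.invalid/ad/show" width="0" height="0" '
    'style="display:none"></iframe></body></html>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injections(page, "example.com"))
```

Run it against a saved copy of each page rather than the live site, and compare the output over time: a page that yields no findings today and one tomorrow is the kind of change the Symantec and F-Secure posts say webmasters were not noticing.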

Malware redirects... - http://sunbeltblog.b...to-dogpile.html June 08, 2008 - "First Google, then DoubleClick* redirects, now Dogpile is a new favorite for XSS redirects by malware authors..." * http://sunbeltblog.b...cts-now-it.html June 02, 2008 - "On May 25th, we noticed that spammers and malware distributors had moved from using Google redirects, to Doubleclick redirects. If you’re tracking this stuff, you’re undoubtedly seeing extensive use of these redirects..."

(Screenshots available at both URLs above.)

:shock:

Malicious doorways redirecting to malware
- http://ddanchev.blog...recting-to.html
June 16, 2008 - "...bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits* are starting to take into consideration as well."
* http://ddanchev.blog...ducing-new.html

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

40% of Web users surf with unsafe browsers
- http://preview.tinyurl.com/4nhr4n
July 1, 2008 (blog.washingtonpost.com/securityfix) - "A comprehensive new study of online surfing habits released today found that only 60 percent of the planet's Internet users surf the Web with the latest, most-secure versions of their preferred Web browsers. The study, conducted by researchers from Google, IBM and the Communication Systems Group in Switzerland, relied on data from server logs provided by Google for search requests between Jan. 2007 and June 2008. The researchers found that of the 1.4 billion Internet users worldwide at the end of March 2008, 576 million surfed with outdated versions of Web browsers..."

- https://forums2.syma...r/article-id/1303-24-2009 - "... simply visiting your favorite website can either lead to malware silently being installed on your computer without ever clicking on anything, or being plagued by misleading applications, such as fake antivirus software, seems to be a surprise to many users and IT managers alike... Our recently published Web-based attacks white paper* highlights some of the top Web threat trends that our security analysts observed during 2008... When your system is compromised, there is usually no indication—it happens silently without flashing lights or having to click on anything. All it takes is one vulnerable browser, multimedia application, document viewer, or browser plug-in and your computer can be compromised. I spoke with one user who couldn’t believe that one of the top 100 sites on the Internet would be attacking his computer. There was another customer whose own Web server kept attacking and infecting his computer... Web-based attacks are occurring everywhere and users’ computers are being attacked and infected in enterprise and consumer environments alike..."

TinyURL abuse... E-cards lead to malware...
- http://blog.trendmic...lt-dating-site/
Mar. 24, 2009 - "The misuse of legitimate services continues as, after recent reports of cybercriminals exploiting the redirecting service TinyURL to slip past spam filters, legitimate e-card services are now being used. We have received email samples that arrive as ecards... The greeting cards were from Regards.com, the web’s largest collection of free greeting cards. The email claims to be sent by a user under an alias..."
(Screenshot available at the URL above.)
________________________________________

See: http://tinyurl.com/p...w.php?disable=0 "Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature."

Browsers under attack - 2009
- http://www.trustedso...Browser-Attacks
June 4, 2009 - "... this paper* deals with the many complexities of browser security and attacks. From the paper:
Web Browsers: An Emerging Platform Under Attack
'The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.'
Other areas the paper covers include:
• The shift in spam to mainly malicious web link usage
• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites
• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website
• Use of malicious video banners placed in advertisement networks
• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site ..."
* http://www.mcafee.co...owsers_w_en.pdf

More 0-Day exploits for browsers...
- http://blog.trendmic...x-and-ie-flaws/
July 21, 2009 - "Earlier today... spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:
• JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
• JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
• JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.
Initial analysis... shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer. According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature. Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog*. This workaround is, however, unnecessary for Firefox 3.5.1 users.
* http://blog.mozilla....-in-firefox-35/
> On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
> Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472*.
* http://support.micro...3472#FixItForMe
Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:
• Firefox: Mozilla Foundation Security Advisory 2009-41 http://www.mozilla.o...fsa2009-41.html
• OWC: Microsoft Security Advisory (973472) http://www.microsoft...ory/973472.mspx
• DirectShow: Microsoft Security Bulletin MS09-032 http://www.microsoft...n/MS09-032.mspx ..."

Multi-browser hole exploited by banking trojan
- http://news.cnet.com...363836-245.html
September 29, 2009 - "Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank login credentials but actually steals money from your account while you are logged in and displays a fake balance. The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available. It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added. The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report*. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement... This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said. People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said."
* http://www.finjan.co...nt.aspx?id=1367
"... cybercrooks used a combination of Trojans and money mules to rake in hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks. After infection, a bank Trojan was installed on the victims’ machines and started communication with its Command & Control (C&C) server for instructions. These instructions included the amount to be stolen from specific bank accounts and to which money mule-accounts the stolen money should be transferred. The use of this Anti anti-fraud method signals a new trend in cybercrime."
- http://www.finjan.co...px?EntryId=2345
Sep 30, 2009

Edited by apluswebmaster, 01 October 2009 - 09:47 AM.

Rogue AV spreads thru XSS attacks in browsers
- http://www.theregist...gue_av_attacks/
16 December 2009 - "Malware purveyors are exploiting web vulnerabilities in appleinsider .com, lawyer .com, news .com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens. The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites... As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected... The links work because appleinsider .com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. More about the attack is available from the Zscaler blog here*."
* http://research.zsca...ed-iframes.html

Malicious JavaScript infects websites
- http://blog.trendmic...fects-websites/
Dec. 31, 2009 - "Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, -redirecting- the user to several malicious websites. This is done so users will not suspect that they are already infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen... Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va. According to the Unmask Parasites blog*, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL..."
* http://blog.unmaskparasites.com/
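The deferred onload redirect described in the post above can be checked for mechanically. What follows is an added example (not Trend Micro's or Unmask Parasites' code): it collects a page's script elements and flags those that start with either code prefix quoted in the post, or that combine the try{window.onload=function(){ wrapper with an assignment to location, and it notes redirect targets whose hostname borrows a brand name the way the post describes. The sample page, its hostnames and the brand list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Prefixes quoted in the Trend Micro post as the start of the injected code.
KNOWN_PREFIXES = ("/*GNUGPL*/", "/*CODE1*/")
# The wrapper the injected code uses to postpone its redirect until the page has loaded.
ONLOAD_WRAPPER = re.compile(r"try\s*\{\s*window\.onload\s*=\s*function\s*\(\s*\)\s*\{")
# An assignment to location / location.href (a comparison '==' does not match).
LOCATION_ASSIGN = re.compile(r"\blocation(?:\.href)?\s*=(?!=)")
# Quoted absolute URLs inside a script body.
URL_LITERAL = re.compile(r"""['"](https?://[^'"\s]+)['"]""")
# Brand names the post says were embedded to make URLs look legitimate (constructed list).
BRAND_NAMES = ("google", "bing", "wordpress")


class ScriptCollector(HTMLParser):
    """Collect every <script> element with its attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            # Boolean attributes such as 'defer' arrive with a value of None.
            self.scripts.append({"attrs": dict(attrs), "body": ""})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser passes script contents through as raw data, possibly in chunks.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def looks_like_brand_lookalike(url):
    """True when the hostname borrows a brand name without being that brand's domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(b in host and not host.endswith(b + ".com") for b in BRAND_NAMES)


def scan_html(page):
    """Return one finding per script that matches the deferred-redirect pattern."""
    parser = ScriptCollector()
    parser.feed(page)
    parser.close()
    findings = []
    for index, script in enumerate(parser.scripts):
        body = script["body"].strip()
        reasons = []
        if body.startswith(KNOWN_PREFIXES):
            reasons.append("known_prefix")
        if "defer" in script["attrs"]:
            reasons.append("defer_attribute")
        if ONLOAD_WRAPPER.search(body):
            reasons.append("onload_wrapper")
        if LOCATION_ASSIGN.search(body):
            reasons.append("redirect")
        targets = URL_LITERAL.findall(body)
        lookalikes = [t for t in targets if looks_like_brand_lookalike(t)]
        if lookalikes:
            reasons.append("brand_lookalike_target")
        # Flag on the exact signature, or on the behaviour (onload wrapper plus redirect).
        if "known_prefix" in reasons or ("onload_wrapper" in reasons and "redirect" in reasons):
            findings.append({"index": index, "reasons": reasons,
                             "targets": targets, "lookalikes": lookalikes})
    return findings


# Constructed sample page: two ordinary scripts, one deferred library, one injected redirect.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/jquery.js"></script>
<script>window.onload = function(){ document.getElementById('cart').focus(); };</script>
<script defer src="/js/app.js"></script>
</head><body><div id="cart"></div>
<script defer>/*GNUGPL*/try{window.onload=function(){var u='http://google-stats.example/c.php';
window.location=u;}}catch(e){}</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"script #{f['index']}: {', '.join(f['reasons'])} -> {f['targets']}")
```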

Browser -redirects- on the Web...
> http://www.spywarein...ndpost&p=713568
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK... will redirect the web browser to other malicious websites..."

Multiple Vendor WebKit HTML Caption Use After Free Vulnerability
- http://atlas.arbor.n...index#418501501
Severity: Elevated Severity
Published: Wednesday, June 23, 2010 19:12
A use-after-free issue has been found in Google Chrome (3.0.195.38 and 4.0.249.78), and Safari 4.0.4 (Windows XP/OS X 10.5.8), specifically in the WebKit core. A malicious webpage can force the browser to execute arbitrary code on the victim's PC. Updated software has been released to address this issue...

- http://techblog.avir...r-updates-2/en/
July 28, 2010 - "... web browsers pose the highest risk for getting attacked by cyber criminals, they should be kept up-to-date and therefore the updates should be installed ASAP."

Browser security update tricks
- http://www.symantec....ty-update-trick
04 Oct 2010 - "... attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users. In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a “Download Updates!!” button, unlike Google’s “Get me out of here” button... Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on the cancel button... The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users... Unlike standard misleading application distribution websites, these sites don’t rely only on social engineering tricks to mislead users. If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit. Phoenix is an automated exploit kit that uses heavily obfuscated JavaScript code to evade security products... These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers. If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits..."
(Screenshots available at the URL above.)

Zombie infection kit - Success rates / Victim browser statistics:
- http://labs.m86secur...bie_browser.png
October 15th, 2010
- http://labs.m86secur...ted-by-zombies/
"... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of Java installed..."
Zombie infection kit - Success rates / IE6,7,8 - Java - Adobe PDF reader - Flash
- http://labs.m86secur...zombie_nexp.png

Edited by AplusWebMaster, 22 January 2011 - 11:56 AM.

Browser 'BITB' attack...
- http://www.darkreadi...le/id/229218608
Feb. 14, 2011 - "... spin-off of the proxy Trojan, keylogger, and man-in-the-browser (MITB) attack. The "boy-in-the-browser" (BITB) attack... targeting users visiting their banks, retailers, and even Google... spotted in the wild. BITB is basically a "dumbed-down" MITB in which the attacker infects a user with its Trojan, either via a drive-by download or by luring the user to click on an infected link on a site... Imperva's advisory on the attacks is here*."
* http://www.imperva.c...he_Browser.html
Feb. 14, 2011 - "... Nine Latin American banks were targeted..."

Malware authors target Google Chrome
- http://www.zdnet.com...gle-chrome/3162
April 21, 2011 - "... malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.” I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows... The first page of Google search results included several perfectly good links, but the sixth result was booby trapped... That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively... After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software”... When I submitted it to VirusTotal.com*, only five of the 42 engines correctly identified it as a suspicious file..."
(Screenshots available at the URL above.)
* http://www.virustota...b22b-1303383008
File name: InstallInternetProtection_611.exe
Submission date: 2011-04-21 10:50:08 (UTC)
Result: 8/42 (19.0%)

SpyEye targets Opera, Google Chrome...
- http://krebsonsecuri...e-chrome-users/
April 26, 2011 - "The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers*... Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen..."
* http://krebsonsecuri.../04/spychop.jpg

WebGL - browser security flaw...
- http://www.cio.com/a...r_Security_Flaw
May 9, 2011 - "The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk*... WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets... Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command."
* http://www.contextis...ces/blog/webgl/
"... enabled by -default- in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari..." (Flowchart available at the contextis.com URL above.)
- http://www.theregist...ecurity_threat/
"... In Firefox 4, type “about:config” (minus the quotes) into the address bar and set webgl.disabled to true. In Chrome, get to the command line of your operating system and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line would be "chrome.exe --disable-webgl"..."

WebGL security risks - updated
- http://www.contextis...blog/webgl/faq/
11 May 2011 - "... we are releasing the following further information to aid in the understanding of the issues... in the longer term, Context believes that browser vendors should, by default, disable WebGL from within their web browsers. We would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis... reported these issues and other vulnerabilities to the Mozilla Security group who has raised a number of internal bug reports regarding the issues that we have found, including issues that we have -not- publicly disclosed. They have also passed the information onto Google for Chrome. The Mozilla Security Group has been very receptive to the issues that we have raised and have been very responsive to our concerns."
(More detail at the contextis URL above.)

IE 0-day - all versions... cookiejacking
- http://www.informati...endly=this-page
May 26, 2011 - "... All versions of Internet Explorer on all versions of Windows are affected by the 0-day vulnerability, and are thus susceptible to cookiejacking. As the name implies, the attack is similar to clickjacking attacks, which trick users into clicking on innocuous-looking graphics or videos, to trigger arbitrary code execution. Cookiejacking takes that type of attack one step further, adding the zero-day vulnerability and some trickery to steal any cookie from a user's PC... To be successful, however, the attack must incorporate two details. First, it needs to know the victim's Windows username, to find the correct path to where cookies are stored... Second, an attacker needs to know which Windows operating system their victim is using, as each one stores cookies in different locations. Browsers, however, typically reveal this information via their navigator.userAgent object..."

Facebook and M$ de-cloak Chrome ...
- http://blog.eset.com...rivacy-advocate
June 3, 2011 - "What’s wrong with this picture?... I am using Google’s incognito mode and Clicker knows exactly who I am!... Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignore your obvious and explicit instructions NOT to track you. In October 2010 Gigaom.com posted an article (http://gigaom.com/20...ersonalization/) that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that. It is mind-boggling that Microsoft’s Bing ran an end game around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing”... Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot. Let’s call it like it is. Facebook rolls out a “feature” that deliberately overrides a user’s explicitly expressed desire to browse in privacy without tracking... You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org/ * and running their test... It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook enabled spying, however this does not happen until private browsing has already been subverted by Facebook... Having worked at Microsoft I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idle and watch Bing override Internet Explorer’s “InPrivate” browsing feature. Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do. The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy."
(Screenshot available at the eset URL above.)
